Four Mistakes to Avoid When Hiring Your Next Security Chief

Recruiting a top-notch chief information security officer is often a company’s most important hire. If that seems like hyperbole, just ask the boards of directors of The Home Depot, Sony Pictures, Target, or any other organization whose corporate data was breached recently.

Industry, company culture and technology implementation are all factors that help determine the right CISO for any given job. Boards and CEOs are still learning about the CISO role, and because there is no single job description, many companies default to legacy views—and get it wrong. Four mistakes are most common:

Thinking too tactically. Until recently, it was enough to have a tech-savvy leader who played defense by rolling out robust security software and making sure it was kept up-to-date. Today’s CISO must have an enterprise-level understanding of cyber risks and be able to communicate them to the board.

For example, a tech services firm recognized its cybersecurity leader wasn’t business-minded enough to support the company’s solutions business — one, ironically, focused on cybersecurity. The leader could manage the security challenges, but struggled to get things done across a matrix organization, and wasn’t viewed as a peer by the other business leaders—a requirement if the solutions business was to grow.

Mismanaging the reporting structure. To whom CISOs report and what access and influence they have are as important as their qualifications and experience. The role must be senior enough for the CISO to gain the respect of C-level executives and the board.

Yet just because the CISO job touches technology doesn’t mean it should always report to the CIO. A security chief hailing from the legacy compliance world could be out of place working for the IT chief. Similarly, a CISO steeped in cyber everything might suffer under the chief risk officer.

Conflict of interest is another risk. It’s never easy to tell your boss that her network is the source of the organization’s cybersecurity problems, particularly when it will cost big money to fix. Yet this happens frequently when CISOs report to CIOs.

Smart companies respond to this issue in different ways. Some elevate the function; others split the role so its risk component reports to the chief risk officer, the IT security part answers to the CIO, and physical security is under the general counsel.

Overemphasizing technical qualifications. “Tech cred” shouldn’t eclipse communication, collaboration, influencing ability, and the candidate’s fit with company culture. For example, a CISO who comes from a government or military background (where security is often the only priority) may not be effective at encouraging colleagues to change deeply ingrained behaviors in order to avoid cyber risks.

Similarly, the new CISO who consorts largely with the organization’s tech community — and can’t speak the language of business — is not doing the job; one who puts the board to sleep with tech talk will not be invited back.

Too many companies don’t attempt board interaction. A 2015 PwC study on cybercrime found that 28% of security leaders make no presentations at all to the board. By contrast, forward-looking companies actively encourage CISO–board interaction, for example, by bringing CISOs in to co-present to audit committees, or by pairing CISOs with seasoned executives elsewhere in the business to learn the ropes.

Unicorn hunting. We have seen companies wait in vain to land the ideal security leader — someone who bundles tremendous risk savvy with executive chops, collaborative skills, and a terrific suite of cyber skills — only to lose well-qualified candidates to faster competitors. One company recently lost seven months and several good candidates in this way.

For any role, “perfect” is rarely manifested in one person, and cybersecurity is no different. It’s better to start with organizational fit and a systematic look at a candidate’s strengths against the organization’s future needs.

It’s also worth considering splitting the role among two or three individuals, each mastering a component of the job. Or a strong second-in-command can complement the shortfalls of an otherwise “perfect” candidate. A large technology company that was spinning off a subsidiary took a variation on this approach. When company leaders realized that perfect wasn’t to be found, they spread cybersecurity across corporate security, information and application security, and risk and compliance. Composite, flexible approaches may seem messy, but are far better than waiting for candidates who don’t exist—or waiting for the next cyberattack.

Matt Aiello, co-lead of the Cybersecurity Practice at Heidrick & Struggles, specializes in the recruitment of global senior-level cyber, engineering, chief information and technology executives. Fellow co-lead Phil Schneidermeyer works with clients across all industries and is recognized for his work in recruiting information security and other technology leaders.